Yesterday, the Ministry of Finance of the Netherlands published the details regarding AMLD5 implementation, including the regime for crypto exchanges and (custodial) wallet providers. This article highlights a number of interesting factors that are noteworthy and/or important.
License or registration?
The released version of the implementation for the Netherlands has chosen to follow a different path than the EU framework outlines: a registration instead of a licensing regime at De Nederlandsche Bank (DNB). The Ministry of Finance has not placed the implementation in the Financial Supervision Act (WFT) but has added it to the Anti-Money Laundering Act (WWFT). This was consulted with the market at the beginning of 2019 and it was then a matter of waiting for results.
It now appears that our Council of State has issued an advice correcting the proposed policy and also stated that a licensing regime does not match the EU directive. So the Ministry has taken a step back and has opted for the implementation of a registration regime. This tends very much towards a cut-and-paste since the registration regime turns out to be a de facto licensing regime. Registrations can be revoked, are subject to prior approval, and a prudential integrity regime has been added to the requirements.
Companies outside the Netherlands that do serve Dutch customers must also register for the registration. In addition, there will also be an obligation for exchange owners to declare how much interest they have in the company and will be required to report to the regulator when there are changes in ownership (this is also a cut-and-paste job of prudential regimens).
The Dutch Data Protection Authority doubts the legitimacy of the mass surveillance measures
The Dutch Data Protection Authority published a legislative advice that is very clear. They describe that fundamental problems have been identified and check whether the proposed measures are appropriate and sufficiently proportionate so that there is not too great an invasion of citizens’ privacy. They refer to the Digital Rights case and a judgment of the Court of Justice. The Dutch Data Protection Authority sees similarities because mass surveillance of EU and non-EU citizens is taking place and doubts whether the proposed regulation is sufficiently proportionate. This is made mandatory under the EU Charter of Fundamental Rights.
The Dutch Data Protection Authority describes that since the AMLD4 came into use, life on the privacy front has changed. We now have both GDPR and a clear guideline from the Court of Justice. This means that the balancing of law enforcement regulations with data protection regulations will change as a result. This is especially true for the situation where the measures are not aimed at a specific person, but at the entire population, where the rules for what can/cannot be done with the collection of data are very unclear.
The Dutch Data Protection Authority has an interesting approach in describing the tensions between the two rule sets. It provides a theoretical foundation for private players who may want to challenge the far-reaching AMLD5 regulations in court. It therefore recommends that this particular relevant issue be properly addressed at the review opportunity of the AMLD Directive, scheduled for January 11, 2022.
Formalities and transitional arrangement
The Ministry of Finance has not used the definition itself in the Directive. In addition, they went too far in detailing how it thought AMLD5 would work in the crypto sector. As a result, the text and wording have been adjusted and leave the details to the sector itself. A transitional regime has also been introduced whereby existing players in the sector receive an extra 6 months for the implementation of the AMLD5 regime.
